© Copyright 2005 (ISC)2® All Rights Reserved.

1Law, Investigations, and Ethics v5.0

Law, Investigations, and Ethics


Domain Layout

This Domain is divided into three sections:

– Law

– Investigations

– Ethics


Law Introduction & Objectives

• This domain addresses computer crime laws and regulations that affect organizations and personnel.

• The CISSP will be able to describe the laws and legal issues that are applicable to computer crime.


Investigations Introduction & Objectives

This domain addresses:

• The investigative measures and techniques that can be used to determine if a crime has been committed.

• Investigation of crime incidents, collection of evidence, and contacting of law enforcement.

• The CISSP will be able to describe the forensic methods that are used to gather and preserve evidence and investigate computer crimes.


Ethics Introduction & Objectives

• This domain addresses information security ethics as applied to society, employees and (ISC)2 members.

• The CISSP will understand the ethical issues and the code of conduct applicable for the security professional.


Goals of Information Security

• The common thread among good information security objectives is that they address all three core security principles.

• Confidentiality: prevents unauthorized disclosure of systems and information.

• Integrity: prevents unauthorized modification of systems and information.

• Availability: prevents disruption of service and productivity.


Law & Computer Crime


Objectives

• CISSP needs to be aware of legal issues, new legislation and regulatory requirements.

• CISSP needs to provide management with:

– Assurance of compliance with legal requirements

– Awareness of legal liabilities or areas of possible non-compliance


Section Objectives

• Understand the issues related to information security and law

• List the major legal systems

• Understand intellectual property laws and how they give protection to information

• Understand the legal principles dealing with privacy

• Understand the legal liabilities of corporate officers in protecting assets of the corporation

• Define due care and due diligence


Law and Computer Crime: Subtopics

• Information Security Related Legal Issues

• Major Legal Systems

• Intellectual Property Laws

• Privacy Laws

• Liability of Corporate Officers


Information Security Related Legal Issues

• Three types of harm usually addressed in computer crime laws:

– Unauthorized access

– Unauthorized alteration, destruction, or disclosure of information

– Insertion of malicious programming code


Computer Crime Categories

• Computer Assisted Crime:

– Criminal activities that are not unique to computers, but merely use computers as tools to assist the criminal endeavor (e.g., fraud, child pornography).


Computer Crime Categories, cont.

• Computer Targeted Crime:

– Crimes directed at computers, networks and the information stored on these systems (e.g., denial of service, sniffers, attacking passwords).

• Computer is Incidental:

– The computer is incidental in the criminal activity (e.g., customer lists for traffickers).


Computer Crimes and Related Laws

• Computer-related crimes and abuses, e.g., denial of service

• Malware

• Software piracy

• Illegal content issues (child pornography)

• Wire fraud and mail fraud

• Lack of computer crime legislation has led to prosecution through traditional laws


Computer Crime Law Issues

• Defining electronic information or data

• Unlawful destruction of data or denial of service

• Using a computer to commit, aid, or abet crime

• Defining intellectual property

• Complex legal definitions of technical issues

• Private sector lack of reporting

• Sentencing guidelines


International Issues

• Some countries have no or poorly defined computer crime laws

• Law enforcement technical capabilities vary

• Governments may not wish to assist each other in international cases

• Trans-national criminal activity

• Jurisdictional legal disputes


International Differences

• It is very important to gain commonality of legal understandings (harmonization) and an agreement to work together (cooperation) regarding the prevention, detection, prosecution, and reporting of computer crimes.


Information Security Legal Issues

• Legislation is being created to include:

– Electronic contracts and non-repudiation

– Encryption import, export, and usage

– Internet violations

– Identity theft

– Network attacks

– Protection of personal information


Major Categories of Law

• Civil Law

• Common Law

– Criminal Law

– Civil (Tort) Law

– Administrative Law

• Customary Law

• Religious Law Systems

• Mixed Law Systems


World Legal Systems

Source: World Legal Systems, http://www.droitcivil.uottawa.ca/world-legal-systems/eng-monde.html


Civil or Code Law

• Originally civil law was a common legal system in much of Europe

• It is based on a comprehensive system of written rules of law and divided into commercial, civil, and criminal codes.


Common Law

• This type of law developed in historical England.

• It is based on tradition, past practices, and legal precedents set by courts through interpretation of statutes, legal legislation, and past rulings.


Categories of Common Law: Subtopics

• Common Law System

– Criminal Law

– Civil Law

– Administrative or Regulatory Law


Criminal Law

• Individual conduct that violates government laws that are enacted for the protection of the public.

• Violations of criminal law regarding computer crimes can lead to a variety of punishments, including imprisonment, financial penalty, loss of right to work with computers, etc.


Civil (not Code) Law

• Wrong against individual or business that results in damage or loss.

• Violations of civil law regarding computer crimes can lead to financial restitution or compensatory damages. There is no prison time.


Administrative or Regulatory Law

• Standards of performance and conduct expected by official regulatory bodies from organizations, industries, and certain officials or officers.

• Banks

• Insurance companies

• Stock markets

• Food and drug companies


Customary Law Systems

• Customary law plays a significant role in matters of personal conduct.

• Its foundation is based on customs, traditions, etc.

• Predominantly found in countries or political entities with mixed legal systems:

– African countries, China, India


Religious Law Systems

• Based on religious beliefs.

• Traditionally divided into:

– Religious duties

– Obligations to other people


Mixed Law Systems

• This category includes political entities where two or more systems apply cumulatively or interactively (e.g., Muslim and Common Law).


Major IP Law Categories

• Patent

• Trademark

• Copyright

• Trade Secrets


Intellectual Property Laws

• Patent

– A patent grants the owner a legally enforceable right to exclude others from practicing the invention covered

– It protects novel, useful and non-obvious inventions

• Trademark ™

– Any word, name, symbol, color, sound, product shape or device or combination of these used to identify goods & distinguish them from those made or sold by others


Intellectual Property Laws (cont.)

• Copyright ©

– Covers the expression of ideas rather than the ideas themselves: “original works of authorship”

• Trade Secret

– Proprietary business or technical information which is confidential and protected as long as its owner takes certain security precautions


Privacy Laws

Privacy Laws could include:

• Information privacy - collection and handling of personal data

• Medical Records

• Communications privacy - protection of mail, phones, email, etc


Need for Privacy Laws

• Globalization - distribution of information beyond a single nation’s borders – world markets.

• Trans-border data flow – how different nations provide privacy protection of an individual’s information.

• Convergent technologies – technical means of gathering, analyzing, and distributing information.

• Data retrieval advances – methods of creating vast repositories of personal information.


Privacy Laws

Privacy recognized as fundamental right in many nations.

• United Nations Declaration of Human Rights

• Privacy Act of 1974 (United States)

• European Union Principles

• The International Covenant on Civil & Political Rights

• Organization for Economic Cooperation and Development

• Existing or newly written constitutions


European Union Principles

• Data collected fairly and lawfully

• Data only used for the purposes for which collected and only for reasonable time

• Persons entitled to receive a report, on request, on data about them

• Accurate and, where necessary, kept up to date


European Union Principles (cont.)

• One’s personal data cannot be disclosed to 3rd parties unless authorized by statute or consent of individual

• Persons have a right to make corrections to their personal data

• Transmission to locations where “equivalent” personal data protection cannot be assured is prohibited


Models of Privacy Protection

• Regulatory model

• Industrial regulations

• Self-regulation

– Companies/industries: codes of practice

• Individual user (self protection)

– PGP and other self-protections


Privacy Issues in the Workplace

• Employee electronic monitoring

• Email monitoring

• Document monitoring

• Internet activity monitoring

• Personally Identifiable Information


Employee Monitoring Issues

Legal actions that must be taken prior to performing electronic monitoring include:

– Establish use policy for systems

– Distribute policy to users of the system.

– Notify your employees that you are monitoring.

– Ensure that monitoring is used in a lawful manner, such as consistent monitoring across all employees and only monitoring work-related activities.


Due Care

• It is the concept that corporate officers and others with fiduciary responsibilities must meet certain requirements to ensure corporate security.


Legal Responsibility for Security

• Due Care

– Taking responsibility for security

– Demonstrating that responsibility is taken

– Planning for threats and vulnerabilities

– Documenting the process

• Due Diligence

– Implementing controls

– Ensuring controls are monitored and updated

– Having a team that assesses all threats and evaluates loss

– Reviewing adequacy of threat analysis

– Ongoing risk assessment and documentation


Elements of Negligence

• Legally recognized obligation

– Perform to a standard of conduct

• Protect others from unreasonable risks

• Failure to conform to a required standard

• Proximate causation

• Resulting injury is actual loss or damage to another


If there is a Breach of Security

• Liability and the failure to institute appropriate information security measures may result in:

– Organization and Board of Directors may be held liable (individually and personally)

• Board of Directors fiduciary responsibility to stockholders to protect assets of corporation

– Corporation may be liable to others

• Contractually

• Under doctrines of civil law


Quick Quiz

• What are the major legal systems that exist around the world?

• What are the three sub-categories of law under Common Law?

• Why do the different legal systems create a challenge in dealing with computer crime?

• List the intellectual property laws.

• What are some of the key items in the European Union Privacy principles?

• Define Due Care.


Section Summary

• The major legal systems include Common Law, Code Law, Customary Law, Religious Law, and Mixed Law systems.

• Three categories under Common Law are Criminal, Civil and Administrative.

• Having different legal systems around the world creates a challenge for several reasons, including different interpretations of crimes, different evidence requirements, lack of cooperation, etc.

• Intellectual property laws include Patents, Trademarks, Copyright, and Trade Secrets.

• Key items in the European Union Privacy principles include collecting data fairly and lawfully, keeping it for a reasonable amount of time, ensuring its accuracy and security, needing consent to disclose to third parties, allowing ‘owners’ to view and modify as appropriate, etc.

• Due care is the concept of what a reasonable person would do under like circumstances, therefore as it applies to information security, it is making sure that companies implement reasonable controls that other ‘like’ companies would also implement.


Investigations


Section Objectives

• Understand the issues related to computer forensics.

• Understand the legal requirements for electronic evidence.

• Understand the concept of the ‘chain of custody’ of evidence.

• List the requirements for the admissibility of computer evidence.

• Understand incident response capability and the associated phases of the escalation process.


Reliable Investigations

• Need to conduct reliable investigations that will stand up to scrutiny and cross-examination up to and including in an arbitration or court setting.

• Need to ensure that all investigations conducted are thorough and equitable


Investigations Environment

• The environment for investigation includes the infrastructure, policies, personnel, techniques, culture and tools that assist an organization in conducting an investigation.


Subtopics

• Computer Forensics

• Incident Response and Handling

• Investigation, Interviewing and Interrogation

• Working with Outside Agencies


Computer Forensics

• Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.


Digital Forensic Science (DFS)

“The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”

Source: Digital Forensic Research Workshop (DFRWS), 2001


DFS Types of Analysis

• There is a consensus that there are at least 3 distinct types:

– Media Analysis (Computer Forensics)

• Examining physical media for evidence

– Software Analysis (Software Forensics)

• Review of software for malicious signatures, and identity of author

– Network Analysis

• Scrutinize network traffic and logs to identify and locate cause


Keep in Mind:

All investigations must abide by the Rules of Evidence

• Electronic evidence is fragile

• Integrity of the “scene”

• Admissibility in court

• Only one chance to do it correctly


Chain of Custody

• Helps protect the integrity and reliability of the evidence

• Effective process of documenting the complete journey of the evidence during the life of the case

• Allows you to answer the following questions:

– Who collected it?

– How & where?

– Who took possession of it?

– How was it stored & protected in storage?

– Who took it out of storage & why?
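The questions on this slide are exactly the fields a custody record has to capture, and the record itself must be tamper-evident or it proves nothing. The following is an added example, not (ISC)2 course material or any tool's code: a small hash-chained custody ledger in Python. Each entry hashes its own fields together with the previous entry's hash, so editing or removing one entry breaks every later link. SHA-256 is used in place of the MD5 mentioned elsewhere in the deck, because MD5 collisions are practical today. The names, timestamps, ticket reference and evidence bytes are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

# Added illustration of a tamper-evident chain-of-custody ledger.
# Every field below answers one of the slide's questions: who collected it,
# how and where, who took possession, how it was stored, who checked it out and why.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str
    action: str          # collected / transferred / checked_out / returned
    actor: str           # who had the item at this point
    location: str        # how and where it was handled or stored
    reason: str          # why it moved (e.g. "create working image")
    evidence_hash: str   # hash of the evidence item itself
    prev_hash: str       # entry_hash of the previous entry, "" for the first
    entry_hash: str = "" # hash over every field above

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")
        # canonical JSON so identical fields always give the same digest
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLedger:
    def __init__(self, evidence: bytes):
        self.evidence_hash = sha256_hex(evidence)
        self.entries: List[CustodyEntry] = []

    def record(self, action: str, actor: str, location: str, reason: str,
               when: Optional[str] = None) -> CustodyEntry:
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else ""
        entry = CustodyEntry(len(self.entries) + 1, when, action, actor,
                             location, reason, self.evidence_hash, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[str]:
        """Return None if the chain is intact, otherwise describe the first break."""
        prev = ""
        for e in self.entries:
            if e.prev_hash != prev:
                return f"entry {e.seq}: link to previous entry broken"
            if e.entry_hash != e.compute_hash():
                return f"entry {e.seq}: contents altered after it was recorded"
            if e.evidence_hash != self.evidence_hash:
                return f"entry {e.seq}: evidence hash differs from original"
            prev = e.entry_hash
        return None


def build_demo_ledger() -> CustodyLedger:
    # constructed sample: a seized drive passing between an examiner and a custodian
    ledger = CustodyLedger(b"constructed sample disk image contents")
    ledger.record("collected", "A. Examiner", "server room, rack 3",
                  "seized under incident ticket INC-PLACEHOLDER", "2005-01-10T09:00:00+00:00")
    ledger.record("transferred", "B. Custodian", "evidence locker 12, sealed bag 001",
                  "long-term storage", "2005-01-10T11:30:00+00:00")
    ledger.record("checked_out", "A. Examiner", "forensic lab bench 2",
                  "create working image for analysis", "2005-01-11T08:00:00+00:00")
    ledger.record("returned", "B. Custodian", "evidence locker 12, resealed bag 002",
                  "imaging complete", "2005-01-11T10:15:00+00:00")
    return ledger


def tampered_actor() -> Optional[str]:
    """Someone rewrites who checked the item out; that entry's hash no longer matches."""
    ledger = build_demo_ledger()
    ledger.entries[2].actor = "C. Unknown"
    return ledger.verify()


def dropped_entry() -> Optional[str]:
    """Removing the storage entry breaks the next entry's link to its predecessor."""
    ledger = build_demo_ledger()
    del ledger.entries[1]
    return ledger.verify()


if __name__ == "__main__":
    print("intact ledger:", build_demo_ledger().verify())
    print("edited actor:", tampered_actor())
    print("missing entry:", dropped_entry())
```

A hash chain detects alteration or loss of individual entries, but someone who controls the whole ledger could rebuild every hash. In practice the latest entry hash is anchored somewhere the custodian does not control, such as the signed paper log or a separately stored signature, which is what turns the chain into evidence of the "complete journey" the slide describes.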


Hearsay Rule

• Hearsay is second-hand evidence; normally not admissible.

– Value depends on veracity and competence of source.

– Depending on the circumstance, business records may be considered hearsay.

• No first-hand proof of accuracy, reliability, trustworthiness


Hearsay Rule, cont.

• In certain instances computer records fall outside of the hearsay rule (e.g., business records exemption)

– Information relates to regular business activities

– Automatically computer generated data

• No human intervention

• Prove system was operating correctly

• Prove no one changed the data


Sources of Information/Evidence

• Oral (witnesses)

– Written statements

• Written Documents

• Computer generated

• Visual/audio

– During event

– After event


Admissibility of Computer Evidence: Subtopics

• Relevant

• Foundation of admissibility

• Legally permissible

• Evidence identification and preservation


Relevant

• Proof that crime occurred

• Documentation of events/time frame

• Identification of acts/methods

• Proof linking suspects - acts/methods

• Proof of suspect's motives


Foundation of Admissibility

• Witnesses that evidence is trustworthy

– Custodian identity and custodian familiarity with IT record procedures

– Description of procedures

– Precautions against errors and error correction

– Reasons why portions of the media were erased

– Collected through normal business methods

– Reason for bypassing some procedures


Legally Permissible

• Avoid illegal acts

– Unlawful obtaining of evidence

– Unlawful search and seizure

– Secret recording (except authorized by court)

– Privacy violations (access to personal data)

– Forced confessions/statements


Evidence Identification & Preservation

• Key aspects to processing and examining evidence:

– Planning

– Recognition

– Preservation, collection and documentation

– Classification, comparison and individualization

– Reconstruction


General Evidence Dos and Don'ts

• Minimize handling/corruption of original data

• Account for any changes and keep detailed logs of your actions

• Comply with the rules of evidence

• Do not exceed your knowledge

• Follow your local security policy and obtain written permission


General Evidence Dos and Don'ts, cont.

• Capture as accurate an image of the system as possible

• Be prepared to testify

• Ensure your actions are repeatable

• Work fast

• Proceed from volatile to persistent evidence

• Don't run any programs on the affected system

Source: AusCERT 2003 (www.auscert.org)


IOCE

• In March 1998, the International Organization on Computer Evidence (IOCE) was appointed to draw up international principles for the procedures relating to digital evidence, to ensure the harmonization of methods and practices among nations and guarantee the ability to use digital evidence collected by one state in the courts of another state.


IOCE-G8

The IOCE-G8 International Principles are governed by the following attributes:

• Consistency with all legal systems;

• Allowance for the use of a common language;

• Durability;

• Ability to cross international boundaries;

• Ability to instill confidence in the integrity of the evidence;

• Applicability to all forensic evidence; and

• Applicability at every level, including that of individual, agency, and country.


Six Principles of IOCE-G8

• When dealing with digital evidence, all of the general forensic and procedural principles must be applied.

• Upon seizing digital evidence, actions taken should not change that evidence.

• When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.


Six Principles of IOCE-G8, cont.

• All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.

• An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.

• Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.


Forensic Image Data Acquisition

• In keeping with the 2nd IOCE-G8 principle, care must be taken not to change the evidence.

• Must be careful because:

– Examining a live file system changes the state of the evidence

– The computer/media is the “crime scene”

• Protecting the crime scene is paramount as once evidence is contaminated it cannot be decontaminated.


Forensic Copies

• Bit for Bit copying captures all the data on the copied media including hidden and residual data (e.g., slack space, swap, residue, unused space, deleted files etc.)

• Ensure integrity of source and image (e.g., hash functions)

– An MD5 sum provides a 128-bit signature that is sensitive to bit changes.

– The reported hashes should match.


Acquisition Rules of Thumb

• Make 2 copies of the original media.

– Primary Image: library/control copy

– Working Image: for analysis purposes

– Verify the integrity of the copies to the original

• If performing drive to drive imaging, use proofed media to copy to.

– Zero the media


What is an Incident?

• Event:

– An observable occurrence; an aspect of an investigation that can be documented, verified, and analyzed.

• Incident:

– An adverse event or series of events that impacts the security or ability of an organization to conduct normal business


Incidents Include:

• Viruses and other malicious code

• Hacker attack

• Terrorist attack

• Insider attack

• Employee error

• Unauthorized acts by employees

• Competitive intelligence gathering

• Hardware/Software malfunction


Goals of Incident Response

• Provide an effective and efficient means of dealing with the situation in a manner that reduces the potential impact to the organization.

• Provide management with sufficient information in order to decide on an appropriate course of action.

• Maintain or restore business continuity.

• Defend against future attacks.

• Deter attacks through investigation and prosecution.


Incident Response Skills: Subtopics

• Skill sets required to meet the goals:

– Recognition Skills

– Technical Skills

– Response Skills


Recognition Skills

• Investigators must be able to recognize that an incident has occurred.

– Abnormal activities

– Suspicious activities

– Malicious code activities

– Pattern recognition

– Alarms


Technical Skills

• Investigators need to possess sufficient skills to be proficient when dealing with the technology.

– Incident analysis

– Audit trails, event logs

– Incident logs

– Forensic evidence collection and protection

– Counter and/or corrective measures


Response Skills

Investigators need:

• Sufficient knowledge and training in order to proficiently execute the phases of the response escalation process.

• Ability to document and record all information related to the incident

• Ability to develop team leadership skills


Incident Response Team Members

• Incident response team members should include representation from various departments, such as:

– Information Security

– Legal

– Human Resources

– Public Relations

– Communications

– Physical Security

– Network Security

– Network and Sys. Administrators

– Internal Auditors


Escalation Process

Three major sections of the escalation process:

• Triage

– Notification and Identification

• Action/Reaction

– Containment, Analysis, Tracking

• Follow up

– Repair and Recovery, Prevention


Guidelines for Incident Response

[Figure: escalation process flow. Triage: Notification, Identification. Action/Reaction: Containment, Analysis, Tracking. Follow up: Repair, Recovery, Prevention. Feedback from Follow up returns into the process.]


Triage

• The process of receiving, initial sorting, and prioritizing information to facilitate its appropriate handling.

• Detection

– Notification of an event.

– Identifying that an event has become an incident.

– Determine if incident has violated any policies or laws.


Notification and Identification

• Alerted to the fact that something has happened.

• Monitoring systems

– Intrusion Detection

– Event logs

• Alert Function

– Preferably automated

• Human decision

– False positives


Action & Reaction

• Once an event becomes an incident, it has to be dealt with in a legally appropriate manner in order to mitigate or reduce the impact.
– Containment
– Analysis
– Tracking


Containment

• Containing the incident is vital. This may involve unplugging systems from the network, or from the Internet.

• Some incidents are contained over protracted time periods for analysis purposes.

• Isolating affected or infected systems.

• The goal is to minimize the spread and thus the damage.


Analysis

• Logs

• Audit Trails

• Information gathering to understand:
– Who, what, when, where, why, and how

• Report to management


Tracking

• Source of the incident
– Internal
– External

• Point of entry or exit

• Must be done in a forensically sound manner
– Admissibility

• May involve outside organizations


Follow-up

• Once the incident has been dealt with, it is necessary to conduct a debriefing in order to determine what went well and what did not.

• The findings must be “fed” back into the Incident Response process.


Repair & Recovery

• Reduce the damage
– Reputation
– Contractual obligations
– Financial

• Protect the environment while recovering
– Limit services and functions

• Repair systems and environment


Sanctions

• Management decision based on information provided by the escalation phases

• Criminal

• Civil

• Job sanctions
– Termination
– Suspension
– Permanent file


Subtopics

• Computer Forensics

• Incident Response and Handling

• Investigation, Interviewing and Interrogation

• Working with Outside Agencies


Interviewing & Interrogation

Interviewing

• The purpose is to discover information

Interrogation

• The purpose is to obtain evidence for trial


Problem Areas

• Disclosing the investigation

• Witness or suspect obtains useful information.

• Witness or suspect might flee before charges or bail

• Investigator deceived by witness or suspect


Trained Personnel

• Personnel should be properly trained

• Process
– 1 lead plus 1-2 other team members.
– Prepare topics or questions.
– Put the witness or suspect at ease.
– Summarize information.


Motives

• The motives for committing computer-related offences are the same as the motives for general crimes. These include but are not limited to:
– Revenge
– Profit or financial need
– Attention


Behavioral Evidence: Suspect

• Determine suspects
– Internal or External
– Suspect checklist

• MOM
– Means
– Opportunity
– Motives

• Vacation history

• Prior employment

• Recent consultants/temps


Enticement vs. Entrapment

Enticement

• The act of influencing by exciting hope or desire (e.g., honey nets)

Entrapment

• The act of inducing a person to commit a crime so that a criminal charge will be brought against them.


Subtopics

• Computer Forensics

• Incident Response and Handling

• Investigation, Interviewing and Interrogation

• Working with Outside Agencies


Policies & Procedures

• Need pre-approved policy and procedures for dealing with:
– External reporting agencies
– Law Enforcement


External Reporting

• Include incident reference numbers

• Contact information

• Disclosure information

• Summary of hosts involved

• Description of activity

• Log extracts showing the activity

• Time zone and accuracy of your clock

• Clarify what you would like from the recipient
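As an added example (not part of the (ISC)2 material), the checklist above as a small Python report builder: the host summary and log extracts are derived from the logs themselves, every timestamp is converted to UTC after removing a measured clock skew, and a final check flags any checklist item left empty. The log lines, hostnames, addresses, contact and reference number are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed log extract (not from the slides): "<local time> <host> <message>"
SAMPLE_LOGS = [
    "2005-03-14 09:12:07 ws17.example.test sshd: failed password for root from 192.0.2.10",
    "2005-03-14 09:12:09 ws17.example.test sshd: failed password for root from 192.0.2.10",
    "2005-03-14 09:15:41 srv02.example.test httpd: GET /admin/ 401 from 192.0.2.10",
    "garbled line with no timestamp",
]
LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (.*)$")
# One field per item on the External Reporting checklist
REQUIRED_FIELDS = ("reference", "contact", "disclosure", "hosts", "description",
                   "log_extracts", "time_zone", "clock_accuracy_seconds", "request")

def to_utc(local_ts: str, tz_offset_hours: int, skew_seconds: int) -> str:
    """Local log timestamp -> UTC string, after removing the known clock skew.
    Positive skew means the logging host's clock ran ahead of true time."""
    tz = timezone(timedelta(hours=tz_offset_hours))
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    corrected = local - timedelta(seconds=skew_seconds)
    return corrected.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_report(reference, contact, logs, tz_offset_hours, skew_seconds, request,
                 disclosure="For the recipient's incident team only; do not redistribute"):
    """Assemble the report; hosts and extracts are derived from the logs themselves."""
    hosts, extracts = set(), []
    for line in logs:
        m = LOG_RE.match(line)
        if not m:
            continue  # drop lines that cannot be timestamped rather than guess
        ts, host, msg = m.groups()
        hosts.add(host)
        extracts.append(f"{to_utc(ts, tz_offset_hours, skew_seconds)} {host} {msg}")
    return {
        "reference": reference,
        "contact": contact,
        "disclosure": disclosure,
        "hosts": sorted(hosts),
        "description": f"{len(extracts)} logged events on {len(hosts)} host(s)",
        "log_extracts": extracts,
        "time_zone": "UTC (converted from local UTC%+d)" % tz_offset_hours,
        "clock_accuracy_seconds": skew_seconds,
        "request": request,
    }

def missing_fields(report: dict) -> list:
    """Checklist items that are absent or empty; a skew of 0 is a valid answer."""
    return [f for f in REQUIRED_FIELDS if report.get(f) in (None, "", [])]
```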


What should you report?

• Any violations of security policy
– Attempts
– Denial of Service
– Unauthorized use of a system
– Unauthorized changes to hardware, software, or firmware


Reporting to Law Enforcement

• Obtain management permission

• Use a single point of contact (e.g. legal dept.)

• Provide a detailed chronology

• Provide all documentation, logs, data, video tapes, etc.

• Develop a formal procedure with the assistance of the local agency


Quick Quiz

• Define computer forensics.

• What is the ‘chain of custody’ of evidence?

• What ensures the admissibility of computer evidence?

• What are the phases of incident response capability?


Section Summary

• Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.

• The chain of custody of evidence shows ‘control’ of the evidence, from the time that it is collected, to the time that it is presented in Court.

• Admissibility of computer evidence is ensured by its relevance, foundation of admissibility, legal permissibility, and proper identification and preservation of the evidence.

• Phases of the incident response escalation process include notification and identification, containment, analysis, tracking, repair and recovery, and prevention.


Ethics


Section Objectives

• Understand the ethical responsibilities of certain user groups within the organization.

• Understand and abide by the relevant codes of ethics for CISSPs.

• List the ethical guidelines relating to proper usage of the Internet.


Ethical Responsibilities (cont.)

• The CISSP needs to encourage adoption of ethical guidelines and standards

• The CISSP needs to inform users through security awareness training about ethical responsibilities.


Ethical Responsibilities

• Data collectors to data subjects– accuracy and privacy

• Data custodians to data owner – availability, integrity and confidentiality

• Data users to owners/subjects – confidentiality, integrity


Ethical Responsibilities (cont.)

• System users to system owner – availability, software integrity

• System managers to users – availability, integrity

• Users to other users – availability


Basis and Origin of Ethics

• Religion

• Law

• National Interest

• Individual Rights

• Common good/interest

• Enlightened self interest

• Professional ethics/practices

• Standards of good practice

• Tradition/culture


Theories of Ethics

• Teleology

– Ethics of purpose or goal

– Utilitarianism, greatest good to greatest number

• Deontology

– Ethics of duty

– Frequently religious ethics are deontological


Common Ethical Fallacies

• Computer game

• Law-abiding citizen

• Shatterproof

• Candy-from-a-baby

• Hackers

• Free information


Codes of Ethics

• Relevant Professional Codes of Ethics include:
– (ISC)2 and other professional codes of ethics.
– Professional codes may have legal importance


(ISC)2 Code of Ethics Preamble

• Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

• Therefore, strict adherence to this code is a condition of certification.


(ISC)2 Code of Ethics Canons

• Protect society, the commonwealth, and the infrastructure.

• Act honorably, honestly, justly, responsibly, and legally.

• Provide diligent and competent service to principals.

• Advance and protect the profession.


Ethics and the Internet RFC 1087

Access and use of the Internet is a PRIVILEGE and should be treated as such by all users.


Internet Activities Board (IAB)

Any activity is unethical and unacceptable that purposely:

• Seeks to gain unauthorized access to Internet resources

• Disrupts the intended use of the Internet

• Wastes resources (people, capacity, computer) through such actions


Internet Activities Board (IAB), cont.

• Destroys the integrity of computer-based information

• Compromises the privacy of users

• Involves negligence in the conduct of Internet-wide experiments


An Ethics Action Plan

• Corporate guide to computer ethics

• Business and computer ethics policy

• Ethics included in employee handbook

• Computer ethics training campaign

• E-mail and other privacy-related policy development


Ethics Reviews

• Security Reviews

• Monitoring Employees

• Review of Corporate Culture

• Fraud detection and awareness

• Sales Practices

• Purchasing Procedures

• Competitive Intelligence Gathering


Violation Reports

• Complaints from customers, vendors, and employees are investigated thoroughly

• Number of complaints received

• Employee turnover in a department that is higher than average


Ethics Summary

• Awareness and Training
– Have regular training programs and management statements to raise ethics consciousness

• Reward ethical practices

• Implement ethics action plan


Quick Quiz

• What are the ethical responsibilities of data collectors, custodians of data, and users?

• What is the main principle of the Internet Activities Board’s RFC 1087?

• What are key strategies for organizations in dealing with ethics?


Section Summary

• Ethical responsibilities of data collectors are to ensure the accuracy and security of the information belonging to the owners of the data. Responsibilities of custodians include ensuring the security of the information belonging to owners. Responsibilities of users include ensuring the confidentiality and availability of data.

• The Internet Activities Board summarizes its RFC 1087 by saying that ‘usage of the Internet is a privilege and that is the way that it should be treated by all users’.

• Organizations should implement awareness programs, ethics policies, corporate guides, employee handbooks, and reward good ethical practices, to ensure the ethical behavior of all employees.
